Re: [Fed-Talk] export CAC certificate(s) on Big Sur?
- Subject: Re: [Fed-Talk] export CAC certificate(s) on Big Sur?
- From: "Blumenthal, Uri - 0553 - MITLL via Fed-talk" <email@hidden>
- Date: Thu, 28 Jan 2021 19:00:29 +0000
- Thread-topic: [Fed-Talk] export CAC certificate(s) on Big Sur?
I'm technical, so all of these solutions are fine for me. But, for Enterprise
use on the Mac, these solutions aren't super convenient for our less
technically inclined users.
For Enterprise – have the local IT build TokenShow.app and push to the managed
Macs. Simple.
On Thu, Jan 28, 2021 at 10:44 AM Blumenthal, Uri - 0553 - MITLL via Fed-talk
<email@hidden> wrote:
Thanks, William.
I found the “commercial” Smart Card Utility to do everything I need, with
multiple tokens and multiple readers (e.g., CAC and Yubikey inserted at the
same time).
TokenShow.app is a true GUI app, and seems nice. Where it fails is when multiple
tokens or even multiple readers are present. It would still export your cert(s)
for you, but fails to “Change PIN” or display the remaining attempts,
displaying “multiple tokens” text instead of a number.
TNX
--
Regards,
Uri
There are two ways to design a system. One is to make it so simple there are
obviously no deficiencies.
The other is to make it so complex there are no obvious deficiencies.
- C. A. R. Hoare
From: William Cerniuk <email@hidden>
Date: Thursday, January 28, 2021 at 13:39
To: Fed Talk <email@hidden>
Cc: Uri Blumenthal <email@hidden>
Subject: Re: [Fed-Talk] export CAC certificate(s) on Big Sur?
Leveraging Uri’s comment, I have found the app to be rather nice. I have not
exercised it enough to determine if it is a GUI app or a real app; but in light
duty, the ragged edges of a typical GUI app have not shown. (Is a good thing).
--
V/R,
Wm. Cerniuk
iPhone/FaceTime/iMessage/SMS Text: 703.505.0201
On 28-Jan-2021, at 13:23, Blumenthal, Uri - 0553 - MITLL via Fed-talk
<email@hidden> wrote:
If you want GUI – search through the Apple App Store and get the app “Smart
Card Utility”. It does what you need. You can test-drive it for almost a year,
then the purchase cost is $9.99. I just bought it after my trial expired,
because I liked it.
Otherwise – do what Daniel suggested
To export your certs, you can open Terminal.app and run the following:
security export-smartcard -e ~/Desktop/
This will save a .pem file for each certificate and public key to your Desktop.
They will be named something like:
Certificate for PIV Authentication (LASTNAME.FIRSTNAME.EDIPI).pem
Certificate for Digital Signature (LASTNAME.FIRSTNAME.EDIPI).pem
Certificate for Key Management (LASTNAME.FIRSTNAME.EDIPI).pem
Public Key - Certificate for PIV Authentication (LASTNAME.FIRSTNAME.EDIPI).pem
Public Key - Certificate for Digital Signature (LASTNAME.FIRSTNAME.EDIPI).pem
Public Key - Certificate for Key Management (LASTNAME.FIRSTNAME.EDIPI).pem
Or what Ken suggested
If you really need to upload the whole certificate, well, you can find it
under About This Mac -> System Reporter -> Software -> SmartCards.
All of the certificates are displayed in PEM format and you can
cut & paste them from there. I believe you can also use the "security"
command to dump those certificates.
If you have OpenSC installed, you can, from the Terminal window, run
pkcs15-tool --read-certificate 01
for PIV Auth certificate (cut-n-paste the output, or redirect to a file).
--
Regards,
Uri
There are two ways to design a system. One is to make it so simple there are
obviously no deficiencies.
The other is to make it so complex there are no obvious deficiencies.
- C. A. R. Hoare
From: Jeff Haferman via Fed-talk <email@hidden>
Reply-To: Jeff Haferman <email@hidden>
Date: Thursday, January 28, 2021 at 12:45
To: "email@hidden" <email@hidden>
Subject: [Fed-Talk] export CAC certificate(s) on Big Sur?
I need to register my CAC in order to access a DoD site
(in this case https://piee.eb.mil/piee-landing/)
Of course the instructions I received assumed an underlying Windows OS (use
Active Client, Internet Explorer, or Edge).
There is one section that says I can do it on a Chrome Browser, but Chrome ends
up opening Keychain Access. When a colleague (on Catalina) does this, he can
see his CAC in Keychain and export his certificates.
On Big Sur, I don't see my CAC certificates. I'm assuming the cause is Big Sur,
but I could be wrong.
Should I be able to see my CAC certificates in Keychain Access on Big Sur? Or
do I need to find a Windows machine?
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
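
Added example, not part of the original thread or written by any of its posters: a shell function that summarizes the .pem files that "security export-smartcard -e" writes, so you can tell which certificate is which, whether it has expired, and whether each "Public Key - ..." file belongs to its certificate. The function names are hypothetical, and it assumes openssl is on the PATH and that the public key files are PEM SubjectPublicKeyInfo.

```shell
#!/bin/bash
# Added example: summarize the .pem files written by
#   security export-smartcard -e <dir>
# Assumptions: openssl is on PATH, and the "Public Key - ..." files are
# PEM SubjectPublicKeyInfo ("BEGIN PUBLIC KEY"). Function names are hypothetical.

# SHA-256 of a public key's DER encoding; the key is read as PEM from stdin.
spki_sha256() {
    openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# Prints one tab-separated line per exported certificate:
#   purpose  notAfter  valid|EXPIRED  public-key-file check  SHA-256 fingerprint
cac_export_summary() {
    local dir="${1:-$HOME/Desktop}" cert base purpose end fp valid keyfile match
    for cert in "$dir"/"Certificate for "*.pem; do
        [ -e "$cert" ] || continue                  # glob matched nothing
        base=${cert##*/}
        purpose=${base#"Certificate for "}          # "PIV Authentication (NAME).pem"
        purpose=${purpose%%" ("*}                   # "PIV Authentication"
        end=$(openssl x509 -in "$cert" -noout -enddate) || continue
        end=${end#notAfter=}
        fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256)
        fp=${fp#*=}
        # -checkend 0 exits non-zero when the certificate has already expired
        if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
            valid=valid
        else
            valid=EXPIRED
        fi
        keyfile="$dir/Public Key - $base"
        if [ ! -f "$keyfile" ]; then
            match=no-key-file
        elif [ "$(openssl x509 -in "$cert" -noout -pubkey | spki_sha256)" = "$(spki_sha256 < "$keyfile")" ]; then
            match=key-matches
        else
            match=KEY-MISMATCH
        fi
        printf '%s\t%s\t%s\t%s\t%s\n' "$purpose" "$end" "$valid" "$match" "$fp"
    done
}
```

Call it as cac_export_summary ~/Desktop after running the export; with no argument it reads ~/Desktop.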